Security Incidents mailing list archives

Re: CodeRed Observations.


From: Þórhallur Hálfdánarson <tolli () tol li>
Date: Thu, 13 Mar 2003 23:22:54 +0000

Hi

When you notice these packets, are there *never* SYN packets?

I'm thinking: firewall at other end blocking only SYN outbound (quite unlikely if you're getting it by hundreds, but, hey, one never knows :)


Regards,
Tolli

-*- larosa, vjay <larosa_vjay () emc com> [ 2003-03-13 18:28 ]:
Some of the systems respond to a ping, none respond to
any HTTP requests. It doesn't mean that they are not 
firewalled from incoming traffic though. 

vjl

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, March 13, 2003 12:13 PM
To: 'larosa, vjay'; incidents () securityfocus com
Subject: RE: CodeRed Observations.


Ok, here's another thought...is the IP address that the traffic apparently
originates from actually accessible, and is it running a vulnerable IIS?  I
would think that if someone wanted to hide an attack, they'd hide amidst a
huge amount of varied attack noise, rather than something so homogenous (and
expected) as this.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com] 
Sent: Thursday, March 13, 2003 11:59 AM
To: 'Rob Shein'; larosa, vjay; incidents () securityfocus com
Subject: RE: CodeRed Observations.


Hi Rob,

I'm not saying that the worm is stateless. I am saying that the traffic I am seeing at my border firewalls (codered strings) are not part of established sessions (stateless). I was just trying to figure out if this had something to do with the new outbreak, or if somebody is trying to trick me into ignoring packets they don't want me to see, so they are throwing a stateless attack at me to hopefully hide the real attack under the guise of CodeRed. Call me crazy but paranoia is my middle name.

vjl


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, March 13, 2003 11:50 AM
To: 'larosa, vjay'; incidents () securityfocus com
Subject: RE: CodeRed Observations.


I'd be careful and make sure, if I were you.  I don't think 
that the worm is stateless, as it wouldn't be able to spread 
if it just sent data over TCP without establishing the 
handshake first.  When you just PSH without handshaking 
first, your data gets rejected.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Thursday, March 13, 2003 11:32 AM
To: 'Rob Shein'; larosa, vjay; incidents () securityfocus com
Subject: RE: CodeRed Observations.


There are no filters in place for viewing the firewall logs. Even if there were, the attacks I am seeing are even targeted to IP addresses that are not up and on-line in my network. So how would a "get default.ida?XXX" string be sent to a host that is,

a) Not up on the network.
b) Behind a firewall that blocks ALL incoming port 80.

If there is no three way handshake to set up a TCP session I should not see this data trying to flow to my hosts (dead IPs or even live IPs). The traffic I am seeing is stateless (Stick/Snot).

vjl

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, March 13, 2003 10:57 AM
To: 'larosa, vjay'; incidents () securityfocus com
Subject: RE: CodeRed Observations.


Check your filters.  You might be looking at traffic through
a selection filter that doesn't show the handshake, so that 
you can concentrate on the content that passes back and 
forth.  That's what I usually find to be the case when 
someone makes this kind of observation...

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Wednesday, March 12, 2003 7:48 PM
To: 'incidents () securityfocus com'
Subject: FW: CodeRed Observations.


Hello,

I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common get strings like this showing up at my firewalls without ever establishing a TCP three way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.

47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58                                            XX



Snip----------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa                           EMC Corporation
Information Security                  4400 Computer Dr.
(508)898-7433 office                  Westboro, MA 01580
(508)353-1348 cell                     www.emc.com
888-799-9750 pager                   larosa_vjay () emc com




----------------------------------------------------------------------------

Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure







-- 
Regards,
Tolli
tolli () tol li
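The question the thread keeps circling is whether a "GET /default.ida?XXX..." segment belongs to a real TCP session or arrived with no handshake at all (the Stick/Snot style decoy traffic vjay suspects). The script below is an added example written for this archive page, not code from any of the posters: it rebuilds the payload from dump rows laid out like the one in the post, then walks a packet list in arrival order, tracks SYN / SYN-ACK / ACK per flow, and labels every payload-bearing segment as `established` or `stateless`. The packet records and the dump rows are constructed sample data, and the addresses are documentation ranges, not anything from the poster's firewall.

```python
"""Spot TCP payloads that arrive with no prior three-way handshake on their
flow, the situation described in the thread above.  Added example for this
archive page; the packets and dump rows are constructed, not captured."""
import re
from dataclasses import dataclass

# The request seen in the post's dump: GET /default.ida?XXXX... (Code Red probe).
CODERED_PREFIX = b"GET /default.ida?"
_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hexdump(lines, width=16):
    """Rebuild bytes from rows of 'hh hh ... <ascii>' like the dump in the post.
    Only the leading run of two-digit hex tokens (at most `width` of them) is
    taken, so the trailing ASCII column is ignored.  A short row whose ASCII
    column happens to start with a hex-looking token would be misread; the
    post's rows ('GET', 'XXXX...') do not."""
    out = bytearray()
    for line in lines:
        for tok in line.split()[:width]:
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN
    payload: bytes = b""


def _key(p):
    return (p.src, p.sport, p.dst, p.dport)


def classify(packets):
    """Walk packets in arrival order and return one record per payload-bearing
    segment: (packet, verdict, looks_like_codered).  verdict is 'established'
    only when SYN, SYN/ACK and ACK were all seen on that flow first."""
    state = {}   # client->server flow key -> 'syn' | 'synack' | 'established'
    records = []
    for p in packets:
        k = _key(p)
        if "S" in p.flags and "A" not in p.flags:         # SYN from the client
            state[k] = "syn"
            continue
        if "S" in p.flags and "A" in p.flags:             # SYN/ACK from the server
            rk = (p.dst, p.dport, p.src, p.sport)         # key of the client's flow
            if state.get(rk) == "syn":
                state[rk] = "synack"
            continue
        if "A" in p.flags and state.get(k) == "synack":   # third leg; may carry data
            state[k] = "established"
        if p.payload:
            verdict = "established" if state.get(k) == "established" else "stateless"
            records.append((p, verdict, p.payload.startswith(CODERED_PREFIX)))
    return records


def summarize(records):
    """Count stateless vs established Code Red style requests, the split the
    poster was trying to make between real worm sessions and decoy packets."""
    counts = {"stateless_codered": 0, "established_codered": 0, "other": 0}
    for _, verdict, codered in records:
        if codered:
            counts[f"{verdict}_codered"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed dump rows in the layout of the post (hex column, ASCII column).
SAMPLE_DUMP = [
    "47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida",
    "3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX",
]
CODERED_PAYLOAD = parse_hexdump(SAMPLE_DUMP)

# Constructed traffic: one full session (SYN, SYN/ACK, ACK, request) to a live
# host, then two bare PSH/ACK requests with no handshake at all.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    Packet("192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, "A"),
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, "PA", CODERED_PAYLOAD),
    Packet("203.0.113.5", 51000, "192.0.2.44", 80, "PA", CODERED_PAYLOAD),  # no SYN ever
    Packet("203.0.113.9", 51001, "192.0.2.45", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt, verdict, codered in classify(SAMPLE_PACKETS):
        tag = "codered" if codered else "other"
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict:11} {tag}")
    print(summarize(classify(SAMPLE_PACKETS)))
```

Run against a real capture, the interesting bucket is `stateless_codered`: segments that carry the worm's request but for which the flow tracker never saw a SYN. Seeing those against addresses that are dark or fully filtered on port 80 is exactly what the poster describes, and a count of them that rises while the `established_codered` count does not is the signature of decoy traffic rather than worm propagation.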



